Symantec Access Management

  • 1.  CA SPS Proxy Preserve Host

    Posted Jun 10, 2016 08:14 AM


    Hi,

    I have an SPS in the DMZ. This SPS is forwarding all requests to another SPS in the internal network. The second SPS has an agent and displays an FCC for users to be able to authenticate to access a protected resource that's on another application server. So in effect, I have two reverse proxies.


    My issue is that when the second agent pops up the login page, the target is the hostname of the second SPS. I need it to assume the hostname of the first proxy. I set enableproxypreservehost=yes on the virtual host of the second proxy. But this doesn't help. When I set enableproxypreservehost=yes on the first SPS, it throws a virtual host not properly configured error.


    How would I go about this?


    Regards,

    Anand.



  • 2.  Re: CA SPS Proxy Preserve Host

    Posted Jun 10, 2016 10:22 AM

    Hello Anand,


    For checking more on enableproxypreservehost, please visit the link below:

    Preserve HOST Header Issue


    In your case, could you please share the proxyrules configured in both the SPS servers?


    Best Regards,

    Ashish Sharma



  • 3.  Re: CA SPS Proxy Preserve Host
    Best Answer

    Posted Jun 10, 2016 01:37 PM

    Anand


    ENABLEPROXYPRESERVEHOST maintains the value of the HTTP_HOST header that is sent from an SPS to the backend server.


    When enabled on SPS (Yes), the HTTP_HOST header value is the FQDN accessed on the browser.

    When disabled on SPS (No), the HTTP_HOST header value is the FQDN of the backend server set in proxyrules.xml.


    In your case, ENABLEPROXYPRESERVEHOST maintains the HTTP_HOST header that is sent from an SPS (e.g. the first SPS server) to the backend server (e.g. the second SPS server), which means the HTTP_HOST header would be the value of the FQDN accessed on the browser.


    NOTE: There are two other settings, EnableRedirectRewrite and redirectrewritablehostnames. These also play a major role in the request flow, because it is a 302 redirect to the login page. Basically we need to analyse your request flow from Browser --> First SPS --> Second SPS and also the response from Second SPS --> First SPS --> Browser.

    • We should look into the Virtual Host Section in Server.conf and proxyrules.xml from the first SPS.
    • We should look into the Virtual Host Section in Server.conf and proxyrules.xml from the second SPS.
    • It would be good to have the FQDN being accessed on the browser and the FQDN of the backend SPS server, though most of this should be present in server.conf and proxyrules.xml.

    I would suggest setting enableproxypreservehost=no in the second SPS server. Set enableproxypreservehost=yes only on the first SPS server. Now restart the SPS. Run the journey and check in the WebAgentTrace logs of the second SPS what the HTTP_HOST header value is.

    The first step is to investigate the TARGET, because that is the first URL that you are accessing on the browser. When it passes through SPS-1 and SPS-2, what does the SPS-2 WebAgentTrace see? You can also run Wireshark on SPS-2 to see traffic from SPS-1 and the HTTP_HOST header value being sent from SPS-1. The HTTP_HOST header value should always be the FQDN accessed from the browser.

    • WebAgentTrace log from SPS-1 and SPS-2.
    • HTTP browser trace.
    • Optional (but recommended to have): Wireshark trace from SPS-2 (trace only the incoming traffic from SPS-1).


    The second step is the login page redirect and the TARGET query parameter: the FQDN of the login page and the FQDN within the TARGET query parameter.

    One question I do have is: does SPS-2 also proxy to the backend server for the actual TARGET? If yes, then enableproxypreservehost=(yes/no) also comes into play for SPS-2.


    Regards


    Hubert.
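The two-hop Host-header and FCC-redirect flow described in the answer above, as an added example that is not part of this thread and not CA SPS code: a small Python model of SPS-1 and SPS-2 in which the hop attributes are named after the server.conf settings mentioned in the thread (enableproxypreservehost, EnableRedirectRewrite, redirectrewritablehostnames), all hostnames are constructed, and the way the agent builds its 302 from HTTP_HOST and the way redirect rewrite touches only the Location host are simplifying assumptions of the model. It reproduces the three configurations worth comparing: the asker's (preserve host off on SPS-1, on on SPS-2), redirect rewrite alone on SPS-1, and the suggested fix (preserve host on at SPS-1 only), and reports for each what the SPS-2 WebAgentTrace would see as HTTP_HOST and which two FQDNs end up in the login redirect.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

# Constructed hostnames (not from the thread).
PUBLIC_FQDN = "portal.example.com"           # what the user types in the browser
SPS2_FQDN = "sps2.internal.example.com"      # backend of SPS-1 in its proxyrules.xml
APP_FQDN = "app.internal.example.com"        # backend of SPS-2 in its proxyrules.xml
LOGIN_FCC = "/siteminderagent/forms/login.fcc"


@dataclass
class Hop:
    """One SPS reverse proxy.  Field names follow the server.conf settings in the
    thread; the behaviour is a simplified model (assumption), not SPS code."""
    name: str
    backend_host: str                    # FQDN of the next hop from proxyrules.xml
    enableproxypreservehost: bool
    enableredirectrewrite: bool = False
    redirectrewritablehostnames: tuple = ()
    has_agent: bool = False              # this hop's agent challenges with the FCC

    def outbound_host(self, inbound_host: str) -> str:
        """yes: pass the Host header on as received; no: use the proxyrules FQDN."""
        return inbound_host if self.enableproxypreservehost else self.backend_host

    def rewrite_location(self, location: str, public_host: str) -> str:
        """Model of EnableRedirectRewrite on the response path.  Assumption: only
        the Location URL's own host is rewritten; the host encoded inside the
        TARGET query value is left exactly as the agent wrote it."""
        parts = urlsplit(location)
        if not self.enableredirectrewrite or parts.hostname not in self.redirectrewritablehostnames:
            return location
        return urlunsplit((parts.scheme, public_host, parts.path, parts.query, parts.fragment))


def agent_challenge(scheme: str, http_host: str, path: str) -> str:
    """302 Location the agent sends for an unauthenticated request.  Both the FCC
    host and the TARGET are derived from the HTTP_HOST the agent received."""
    target = f"{scheme}://{http_host}{path}"
    return f"{scheme}://{http_host}{LOGIN_FCC}?TARGET={quote(target, safe='')}"


def run_journey(hops: list, browser_url: str):
    """Request path Browser -> hops, then the 302 back hops -> Browser.
    Returns ({hop name: HTTP_HOST seen there}, final Location header or None)."""
    parts = urlsplit(browser_url)
    host = parts.netloc
    seen, visited, location = {}, [], None
    for hop in hops:
        visited.append(hop)
        seen[hop.name] = host            # what this hop's WebAgentTrace would log
        if hop.has_agent:
            location = agent_challenge(parts.scheme, host, parts.path)
            break
        host = hop.outbound_host(host)
    if location is not None:
        for hop in reversed(visited[:-1]):   # hops between the agent and the browser
            location = hop.rewrite_location(location, parts.netloc)
    return seen, location


def login_hosts(location: str):
    """(FQDN of the login page, FQDN inside its TARGET parameter): the two
    hostnames the answer says to check separately in the second step."""
    parts = urlsplit(location)
    target = parse_qs(parts.query)["TARGET"][0]
    return parts.hostname, urlsplit(target).hostname


def chain(preserve_sps1: bool, preserve_sps2: bool, rewrite_on_sps1: bool = False) -> list:
    """Browser -> SPS-1 (DMZ) -> SPS-2 (internal, agent + FCC) -> application."""
    return [
        Hop("SPS-1", SPS2_FQDN, preserve_sps1,
            enableredirectrewrite=rewrite_on_sps1,
            redirectrewritablehostnames=(SPS2_FQDN,)),
        Hop("SPS-2", APP_FQDN, preserve_sps2, has_agent=True),
    ]


if __name__ == "__main__":
    url = f"https://{PUBLIC_FQDN}/app/"
    for label, hops in [("preservehost no on SPS-1, yes on SPS-2", chain(False, True)),
                        ("redirect rewrite only on SPS-1", chain(False, True, True)),
                        ("preservehost yes on SPS-1, no on SPS-2", chain(True, False))]:
        seen, loc = run_journey(hops, url)
        print(f"{label}: HTTP_HOST at SPS-2 = {seen['SPS-2']}; "
              f"login page / TARGET hosts = {login_hosts(loc)}")
```

In the model, setting the option on SPS-2 alone changes nothing for the login page, because SPS-2's agent can only echo the Host it was given by SPS-1; redirect rewrite on SPS-1 repairs the Location host but not the host inside TARGET; only preserving the host at SPS-1 makes both FQDNs match what the browser typed, which is what the WebAgentTrace check on SPS-2 would confirm.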